
The 90’s Called: They Want Their Technology Back

SANS ICS Summit

Stephen Hilt @sjhilt

Philippe Lin @miaoski

Why Pagers?

•Integrated with healthcare workflow

•SMS-to-Pager

•Email-to-Pager


Legal Disclaimer

It might be illegal to

• Spoof

• Sniff and store the data

• Sniff but not store the data

• Decrypt


Huh? It’s already 2016

•To avoid interference

•Places with weak signal

•Physical security standard for SCIFs (Sensitive Compartmented Information Facilities)


PHS J-88

History of Pagers

•Launched in 1950s in Hospitals in NYC – $12 a month for 25 miles of coverage

•1962 Bell System: radio paging system at the Seattle World’s Fair

•2001 Motorola stopped making new pagers.

•Multiple protocols in use

– POCSAG

– FLEX

– ReFlex, Golay, Inmarsat, etc.


Pagers Once a Symbol of Cool

In USA:

143 = I love you

607 = I miss you

406 = Hugs and kisses

911 = Call me now

601 = Happy B-Day

1134209 = Go to h311

Protocol - POCSAG

•Post Office Code Standardization Advisory Group

– 512, 1200 and 2400 bps

– Bandwidth 9 kHz, FSK


Source: http://www.raveon.com/pdfiles/AN142(POCSAG).pdf

32-bit FSC (frame synchronization codeword at the start of each batch)
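The codeword arithmetic behind that 32-bit FSC, as an added example that is not code from the talk or from the Raveon application note: each POCSAG codeword carries a flag bit, 20 data bits, ten BCH(31,21) check bits and an even-parity bit, and a receiver (or a monitoring tool) accepts a word only when both checks pass. The generator polynomial, sync and idle codewords are the standard POCSAG constants; the RIC used at the bottom is a constructed test value.

```python
# POCSAG codeword arithmetic. Each 32-bit codeword is: 1 flag bit (0 = address,
# 1 = message), 20 data bits, 10 BCH(31,21) check bits and 1 even-parity bit.
# The constants are the standard POCSAG values, not taken from the talk.
BCH_GENERATOR = 0x769        # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
SYNC_CODEWORD = 0x7CD215D8   # the 32-bit FSC that starts every batch
IDLE_CODEWORD = 0x7A89C197   # fills unused codeword slots in a batch


def bch_check_bits(msg21):
    """Remainder of msg21(x) * x^10 divided by the generator, mod 2."""
    r = 0
    for i in range(20, -1, -1):          # 21 message bits, MSB first
        r = (r << 1) | ((msg21 >> i) & 1)
        if r & 0x400:
            r ^= BCH_GENERATOR
    for _ in range(10):                  # the ten zero positions under the check bits
        r <<= 1
        if r & 0x400:
            r ^= BCH_GENERATOR
    return r & 0x3FF


def encode_codeword(flag, data20):
    """Build a transmittable codeword from the flag bit and 20 data bits."""
    msg21 = ((flag & 1) << 20) | (data20 & 0xFFFFF)
    word = (msg21 << 11) | (bch_check_bits(msg21) << 1)
    return word | (bin(word).count("1") & 1)          # even parity in bit 0


def address_codeword(ric, function=0):
    """Address codeword: upper 18 bits of the 21-bit RIC plus 2 function bits.
    The low 3 RIC bits only select the frame position and are not sent."""
    return encode_codeword(0, ((ric >> 3) << 2) | (function & 3))


def is_valid_codeword(word):
    """True if the BCH remainder matches and the whole word has even parity."""
    msg21 = (word >> 11) & 0x1FFFFF
    return (bch_check_bits(msg21) == ((word >> 1) & 0x3FF)
            and bin(word).count("1") % 2 == 0)


if __name__ == "__main__":
    for name, w in (("FSC", SYNC_CODEWORD), ("idle", IDLE_CODEWORD)):
        print(f"{name:4} 0x{w:08X} valid={is_valid_codeword(w)}")
    print(f"RIC 1234567 -> 0x{address_codeword(1234567):08X}")   # constructed RIC
```

A single flipped bit anywhere in a received word makes `is_valid_codeword` return False, which is why a decoder that skips the BCH and parity checks will happily print garbage.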

Protocol - FLEX


• By Motorola

• 1600, 3200 or 6400 bps

• Bandwidth 5 kHz, FSK or 4FSK

• Time syncs instead of always listening for a preamble to save battery

• 128 Frames in 4 minute time cycle, 15 cycles per hour

Frequencies

•Primary focused areas for our research

Country   Frequency (MHz)                                   Protocol
USA       928.964, 929.015, 929.359, 929.562, 929.585,      FLEX
          929.612, 929.630, 929.663, 929.683, 929.785,
          929.887, 930.263, 930.762, 930.788, 931.012,
          931.038, 931.063, 931.113, 931.463
Canada    929.212, 931.612                                  FLEX
Japan     282.0125, 283.0850, 283.7625, 283.8625            POCSAG

Setup to Sniff Pages

•POCSAG and FLEX

•All can be sniffed with a DVB-T Dongle

•~ $20 at Hak5, Amazon, etc.


GQRX

•Identify the protocols (GQRX, SDR#)

(GQRX screenshot: a POCSAG signal, FSK, 9 kHz wide)

pager_rx.py

•GNU Radio Python script that sniffs FLEX protocol

•Multiple frequencies at the same time


https://github.com/argilo/sdr-examples

Breakdown of Data


•Research period: Feb – Jun, ‘16

Example Message Format


Industrial


Power Plants


Substations


Chemical Company A


Chemical Company B


HVAC


Observed Orlando


Demo!


Using SMS to Pager Gateway (1)


Using SMS to Pager Gateway (2)

•CallXPress : Speech-to-text summary

•SPOK : Former USA Mobility

•Can be integrated with phonebook + CallerID


Using Email to Pager Gateway (1)

•WhosCalling : Email for missed calls

•WebCTRL®: BAS from Automated Logic

Subject: WebCTRL CHW System Alarm (CRMF Chiller BACnet) – [DATETIME]: CRMF Chiller BACnet - Chiller 18 Bacnet communication is offline. (CH18_COMM)

•METASYS®: BAS from Johnson Controls

MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC

» FQR (fully qualified reference)


Using Email to Pager Gateway (2)

•Easy to identify the location of events


CallerID System

•Make a phonebook

•Recon

» Pretend to be the most frequent sender?!


Voicemail Summary

•Like CallXPress, might be another system


IT Industry - Passcodes

•System may be deployed in sensitive sectors


Security Industry

• CVE-2016-0068 Microsoft® Internet Explorer® Elevation of Privilege Vulnerability

• CVE-2016-0936 Adobe® Acrobat® Memory Corruption Vulnerability

• CVE-2016-0938 Adobe Reader® and Acrobat Memory Corruption Vulnerability

• CVE-2014-1791 Microsoft Internet Explorer Memory Corruption Vulnerability

• CVE-2016-0007 Microsoft Windows Mount Point Privilege Escalation Vulnerability

• CVE-2014-6366 Internet Explorer Memory Corruption Vulnerability

• CVE-2014-0526 Adobe PDF Reader Encoding DCT Vulnerability

• CVE-2015-1666 Internet Explorer CMetaElement code execution

• CVE-2016-0966 Adobe Flash® Player Memory Corruption Vulnerability

• CVE-2016-0091 Windows OLE Memory Remote Code Execution Vulnerability

• CVE-2016-0098 Apache Server Multiple Vulnerabilities

• Apache mod_cgi Bash Environment Variable Code Injection

• Mozilla Firefox nsFrameManager Remote Code Execution Vulnerability


Personal Messages


Recon

• Alice (505*******), mostly called by Rose (505*******)

• Aaron (505*******), mostly called by unknown (505*******)

• Bruce (--), mostly called Nancy (505*******)

• Charles (--), whose mother is Elizabeth (505*******)

• Charles (--), whose wife is Jenny (505*******)

• David (--), whose wife is Carol (505*******)

• Fred (--), whose wife or girlfriend is Kate (505*******)


Spoofing Pages


Spoofing Pages (gr-mixalot)

https://github.com/unsynchronized/gr-mixalot


Multimon-ng

Demo!


Attacks

• Industrial

– If messages are used for real-time communications, spoof pages to cause issues.

– Alert maintenance of an issue; system may be taken offline

– Declaring an emergency inside facilities

– Insider power trading information

• Public Sector

– Social engineering

– Impersonate a contractor

– Recon for sensitive places


Solutions

• Stop using pagers

• Use encrypted pagers

• Don’t leak personal information if pagers are absolutely required
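One concrete form of the last bullet, as an added example that is not from the talk or from any of the gateway products named earlier: a content policy an email-to-pager or SMS-to-pager gateway could apply before a message is handed to the transmitter, so phone numbers, passcodes and exact plant/point identifiers never go out in the clear. The sample pages, the regular expressions and the identifier shapes are constructed assumptions modelled on the WebCTRL, METASYS, CallerID and passcode messages shown above.

```python
import re

# Constructed sample pages modelled on the message types the deck describes
# (BAS alarms carrying fully qualified references, CallerID notes with phone
# numbers, IT passcodes). None of them is a real captured page.
SAMPLE_PAGES = [
    "WebCTRL CHW System Alarm (CRMF Chiller BACnet): Chiller 18 BACnet "
    "communication is offline. (CH18_COMM)",
    "MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC",
    "Missed call from Rose 505-555-0123, please call back",
    "Your passcode is 481516",
    "Shift change at 7pm, meet in the lobby",
]

# Content that should never go out over an unencrypted page.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
PASSCODE_RE = re.compile(r"\b(?:pass ?code|pin|otp)\b\D{0,20}(\d{4,8})\b", re.I)
# METASYS-style FQR, SITE:DEVICE/OBJECT.POINT (assumed shape, not a vendor spec)
FQR_RE = re.compile(r"\b[A-Z0-9-]+:[A-Z0-9-]+/[A-Z0-9.-]+\b")
# WebCTRL-style point name in parentheses, e.g. (CH18_COMM) (assumed shape)
POINT_RE = re.compile(r"\(([A-Z0-9]+_[A-Z0-9_]+)\)")


def scrub_page(text):
    """Return (action, message, findings) for one outbound page.

    Phone numbers and passcodes are removed outright; plant and point
    identifiers are replaced with a neutral placeholder so the recipient
    still learns that something needs attention, while the air interface
    no longer carries the exact asset name or the caller's number.
    """
    findings, out = [], text
    if PHONE_RE.search(out):
        findings.append("phone_number")
        out = PHONE_RE.sub("[number withheld]", out)
    if PASSCODE_RE.search(out):
        findings.append("passcode")
        out = PASSCODE_RE.sub(
            lambda m: m.group(0).replace(m.group(1), "[sent via secure channel]"), out)
    if FQR_RE.search(out) or POINT_RE.search(out):
        findings.append("asset_identifier")
        out = FQR_RE.sub("[asset ref]", out)
        out = POINT_RE.sub("([point])", out)
    return ("deliver_redacted" if findings else "deliver"), out, findings


def scrub_all(pages=SAMPLE_PAGES):
    """Run the policy over a batch; returns a list of (action, message, findings)."""
    return [scrub_page(p) for p in pages]


if __name__ == "__main__":
    for action, msg, found in scrub_all():
        print(f"{action:16} {found or '-'}: {msg}")
```

The `findings` list is what you would log: counting how often each category is caught tells you which upstream system (BAS, voicemail, helpdesk) is the one leaking, which is more useful than the redaction itself.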


Questions?

• http://documents.trendmicro.com/assets/threat-reports/wp-leaking-beeps-healthcare.pdf

• https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_leaking-beeps-industrial.pdf

• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-leaking-beeps-a-closer-look-at-it-systems-that-leak-pages.pdf

Search: Leaking Beeps


@sjhilt @miaoski